The government has released a long-delayed review of its own data handling practices, following pressure from MPs, which raises questions about the ability of Whitehall to safeguard sensitive information.
This review comes at a time when digital transformation is intended to reshape public services.
The Information Security Review, carried out in 2023 but withheld from publication for nearly two years, was released after sustained questioning from Dame Chi Onwurah, chair of the Science, Innovation and Technology Committee.
She pressed ministers to explain what steps had been taken to prevent a repeat of the 2022 Ministry of Defence (MoD) data breach, which was one of the most damaging in Whitehall’s history.
Afghan breach fallout
The Afghan data leak saw the personal details of over 18,000 Afghan nationals and their families, along with the names of UK MPs, officials and members of the military, mistakenly circulated in an unsecured spreadsheet.
The files were sent outside authorised government systems in February 2022, but this only came to light the following year, sparking outrage and a formal investigation by the Information Commissioner’s Office (ICO).
In correspondence with Dame Chi, cabinet office minister Pat McFadden and science secretary Peter Kyle confirmed that twelve of the review’s fourteen recommendations have been implemented, including strengthened security classifications, new cross-government training, and broader adoption of Microsoft 365 information protection tools.
However, ICO commissioner John Edwards said the government must go “further and faster” to raise standards and called for the establishment of a senior leadership board to enforce consistent practices across Whitehall.
Why keep it a secret?
The review, published publicly on Friday, identified three recurring causes of public sector breaches: uncontrolled mass data exports from government databases, sensitive details revealed in misdirected emails, and hidden personal information embedded in online spreadsheets.
Dame Chi accused the government of dragging its feet and deliberately limiting scrutiny.
“I’m glad this information security review has finally been made public, but it’s concerning that it took an intervention from my committee and the information commissioner to make this happen”, she said.
She added, “Why have only 12 of the 14 recommendations been implemented? And why was the very existence of this review kept secret for so long, even after the Afghan breach became public?”
She also confirmed that she has summoned McFadden and Edwards to give evidence before the committee next month, warning that trust in Whitehall’s ability to handle data securely remains fragile.
Digital ambitions under threat
The row comes as the government ramps up its digital transformation agenda, aiming to deliver more public services online and harness new technologies across departments.
That shift depends heavily on public trust in government systems to protect highly sensitive personal information.
Dame Chi added: “For the government to fulfil its ambitions of using tech to boost the economy and transform our public sector, it needs the public to trust that it can keep their data secure. If it can’t, how can anyone be comfortable handing over their personal information?”
Edwards echoed those concerns, warning that unless the recommendations are fully implemented and monitored, data security could become the Achilles’ heel of the government’s digital drive.